In the week that’s about to pass (June 11 - June 17) we’ve seen a lot of interesting things but, if we had to pick one topic that marked it, it would have to be scams and spam.
On Monday, we saw that Amazon was warning its customers about a spam campaign that posed a serious threat.
Malware-spreading emails that purported to come from DHL, Facebook, Twitter, Classmates.com, Verizon, Best Buy and LinkedIn have also caught our attention.
As far as LinkedIn is concerned, it’s a bit more complicated. After the security breach that affected around 6.5 million social media customers, the company started sending out notifications.
Experts have found them to be troublesome since they were actually being sent out to email addresses unrelated to the affected user. Furthermore, all that spam made around 250,000 internauts mistake the real password reset alerts for unsolicited email.
This week we’ve also had the opportunity to speak to a number of experts on the topic of password security. Experts such as Graham Cluley of Sophos, Sorin Mustaca from Avira, David Barclay from Trend Micro, Ucha Gobejishvili, the hacker Gambit, and ESET’s Aryeh Goretsky have inspired us to write a comprehensive advisory on how to safely store passwords.
This week we’ve also learned that security researchers from Kaspersky have found the missing link between Stuxnet and Flame. As it turns out, Flame was first and the developers of Stuxnet may have borrowed a component to help their piece of malware spread via USB drives.
In the vulnerability section, we’ve also had some interesting stories to share. AMD responded to CERT’s notifications regarding some security issues related to video drivers.
Then, we’ve learned about a dangerous vulnerability in MariaDB and MySQL, which could allow an attacker to connect to a server by using an incorrect password.
The father of Linux, Linus Torvalds, has revealed that Microsoft’s UEFI keys may be a good solution, but not one that couldn’t be bypassed by “clever hackers.”
We’ve also published the great interview we’ve had with Adam Gowdiak of Security Explorations at this year’s Hack in the Box security conference in Amsterdam.
Other security holes worth mentioning are the ones patched by Oracle with the June 2012 Java SE CPU, an SQL Injection flaw in the website of the University of Alaska, a memory corruption issue in Firefox 13, a zero-day in Microsoft’s XML Core Services, and a privilege escalation vulnerability that affects numerous companies such as Intel, Oracle, Red Hat and many others.
A number of hackers and fraudsters have been arrested or indicted this week.
We have talked about the arrest of 10 Romanian fraudsters, the indictments of a Dutch hacker accused of selling 44,000 credit card details and of the famous Ryan Cleary, and the 106 raids conducted by German police.
Finally, in the online monitoring laws section we have the draft of the UK’s Communications Data Bill and the legislation that bans Ethiopians from using VoIP technologies.